[csw-buildfarm] Nmap access to Solaris build farm

Dagobert Michelsen dam at opencsw.org
Fri Sep 30 17:39:59 CEST 2011


Hi David,

On 29.09.2011 at 17:46, Dagobert Michelsen wrote:
> On 29.09.2011 at 16:24, David Fifield wrote:
>> On Thu, Sep 29, 2011 at 11:42:36AM +0200, Dagobert Michelsen wrote:
>>> On 29.09.2011 at 00:05, David Fifield wrote:
>>>> On Wed, Sep 28, 2011 at 02:57:05PM -0700, David Fifield wrote:
>>>>> In http://seclists.org/nmap-dev/2011/q3/646, you offered to let us have
>>>>> access to the Solaris build farm for the purpose of testing Nmap. We'd
>>>>> like to accept the offer.
>>>>> 
>>>>> I've seen the page at
>>>>> http://www.opencsw.org/extend-it/contribute-packages/build-standards/build-machines/.
>>>>> Here is an SSH public key. If you need a user name, "nmap" will do. Do
>>>>> you need anything else?
>>>> 
>>>> I forgot to add: does build farm access include root access? Most
>>>> non-trivial testing of Nmap requires access to raw sockets.
>>> 
>>> Not by default. What do you need? Will an internal zone without
>>> connection to the internet (only via the login server) suffice? We are
>>> a bit short on official IP addresses, but if you need one I can set up
>>> a special zone with root access just for nmap and a dedicated network
>>> interface.
>> 
>> It doesn't necessarily have to have raw sockets to the Internet; just
>> being able to scan internal IPs would be okay.
>> 
>> We had trouble with another Solaris zone because it didn't have the
>> /dev/ip device. I found this documentation:
>> 
>> http://docs.huihoo.com/opensolaris/solaris-containers-resource-management-and-solaris-zones/html/p87.html
>>       In general, all applications can run in a non-global zone.
>>       However, the following types of applications might not be
>>       suitable for this environment:
>>       * The few applications dependent upon certain devices that do
>>         not exist in a non-global zone, such as /dev/kmem or /dev/ip.
>> 
>> I think, in short, that we need the DLPI interface; i.e., the "snoop"
>> command would have to work. From what I read, that would expose even
>> traffic destined to other zones, so a dedicated network interface is a
>> good idea if that's easy to do.
> 
> A zone with exclusive interface may suffice, I'll set this up tomorrow.
> If that is not enough I can generate a vSphere VM which definitely
> fits your requirements, but has also a larger footprint in terms of
> patching etc. so I would go with a zone first.
> 
> I'll keep you informed.

I made a new zone Solaris 10 Sparc with exclusive interface vnet2:
  david@login [login]:~ > ssh root@nmap10s

It is not really separated from the other buildfarm traffic, so please
do not fubar the installation. The zone still has some minor issues which
however should not disturb initial testing. Please let me know if you
see anything strange.


Best regards

  -- Dago

-- 
"You don't become great by trying to be great, you become great by wanting to do something,
and then doing it so hard that you become great in the process." - xkcd #896
